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Disclaimer 
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> This presentation provides guidance to authorized institutions 
(“Als”) on issues relating to the Anti-Money Laundering and 
Counter-Terrorist Financing (Financial Institutions) Ordinance 
(“AMLO”) and the AMLO Guideline. The presentation is provided 
for training purposes and does not form part of the formal legal 
and regulatory requirements of the HKMA. It should not be 
substituted for seeking detailed advice on any specific case from 
an Al’s own professional adviser. 


> The HKMA is the owner of the copyright and any other rights in 
the PowerPoint materials of this presentation. These materials 
may be used for personal viewing purposes or for use within an Al. 
Such materials may not be reproduced for or distributed to third 
parties, or used for commercial purposes, without the HKMA’s 
prior written consent. 


> The cases or examples provided in this presentation might be 
prepared on the basis of synthesis of multiple cases, and certain 
relevant details might have been omitted. 


Institutional Risk 
Assessment — Development 





> Requirement to assess risks 
> Pre and Post AMLO 
> Revision in international standards [2012] 
> Significant emphasis on Risk Based Approach (RBA) 


> HKMA’s circular in December 2014 
> Clear articulation of supervisory expectation 
> Als should assess and understand risks at institution and 
customer level 
> Als should demonstrate effective implementation but flexibility 
afforded in execution 


> Will continue to be a focus of HKMA supervision 
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Assessment — Use fad 


> Identify and remediate gaps in AML/CFT system 
> Should be part of the Al’s self-evaluation 
> Board level decisions — should be informed by risk 
> Ensure effective implementation of control efforts 
> Develop risk appetite 
> Ensure resources aligned with risks 
> Assist in strategic decisions 


> Ensure regulators are aware of key risks 
> Operationalises the risk based approach 


Institutional Risk Assessment | 





> What level of detail is required? 


> 


> 
> 


> 


We will look at the process by which assessment is conducted, 
how conclusions are drawn 

Many ways in which requirement can be met 

Complexity will vary according to Al and development of 
assessment 

Lack of sensitivity or granularity to specific risks can dilute 
effectiveness 


> Dynamic process 


> 


Need to be kept update 
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“The risk assessment should (1) consider all relevant 
inherent ML risk factors in order to determine its risk profile 
and (2) in turn assess the nature of mitigating controls, both 
from a design and operating effectiveness standpoint, in 
order to (3) arrive at the residual risk, which should be within 
the FI’s established risk appetite.” 


Wolfsberg paper — FAQs on Risk Assessment for ML, Sanctions 
and Bribery & Corruption (2015) 


Institutional Risk Assessment 
Observations 





> Increasing number of Als recognized the importance 
of ML/TF risk assessment in risk management process 


> Improvement in depth and breadth of Als’ risk 
assessment observed 
> Some Als recognize that development will take time 


> Some Als can develop adequate risk assessment 

framework 

> Adequate coverage of all relevant risk factors 

> Quantitative analysis supporting qualitative assessment 

> Assessment of emerging and / or significant risks (e.g. sanction 
risk) 

> Trend analysis of ML/TF risks taking into account latest business 
and regulatory landscapes 


Institutional Risk Assessment ma 
Common deficiencies (1) 





> Written form of institutional risk assessment 
> Some Als provided description of AML/CFT “system” rather than 
ML/TF risk assessment 
> Irrelevant documents provided, rationale unclear (e.g. IA reports) 


> Assessment of inherent risks 
> Not the same as customer risks 
> Involves quantitative analysis and qualitative assessment 
> Al's own assessment should be more detailed / granular 


Institutional Risk Assessment 
Common deficiencies (2) 





> Provision of statistical data has proved challenging 

for some Als 

> Als should critically examine how they collect and use data for 
AML/CFT work 

> Effective AML/CFT system are data hungry 
> IT shortcomings are common features in deficient AML/CFT systems 

> Where data is not available part of action plan should include 
system remediation 


Institutional Risk Assessment a= i 
Common deficiencies (3) fd 


> Application of mitigating measures / control and 
articulation of risk appetite 
> Als should consider how mitigating measures would reduce risks 
> Link between inherent risks and mitigating measures / controls is 
a key part of the process 
> Important to consider residual risk 


> Articulation of risk appetite 
> — Is the residual risk within the appetite of the Al? If not, what actions need to 
be taken? 





Institutional Risk Assessment 
Common deficiencies (4) 





> Assessment of risks in local context 
> Risk assessment developed at regional / global level must take 
into account local ML/TF risks 
> ML/AF risk assessment should cover overseas branches / 
subsidiaries 


> Others 
> Should not read as a “good news” document 


> Risk assessment should honestly reflect the ML/TF risk level and 
effectiveness of the control 
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BCBS paper — Sound Management of ML/TF Risks (Jan 2014) 
(Atto-//www.bis.org/publ/bcbs275.pdi) 

> FATF paper — Risk-Based Approach for the Banking Sector (Oct 
2014) 


(http://www. fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf) 





> Wolfsberg paper — FAQs on Risk Assessment for ML, Sanctions and 
Bribery & Corruption (Sep 2015) 
(http://www. wolfsberg-principles.com/pdf/home/Wolfsberg-Risk-Assessment-FAQs-2015. pdf) 

> HKMA circular — ML/TF Risk Assessment (19 Dec 2014) 


(Attp://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-ana- 
circular/2014/20141219e1.pdf) 


> HKMA inSight article — The Importance of Robust AML Controls (4 
Jun 2015) 
(Attp://www.hkma.gov.hk/eng/key-information/insight/20 150604.shtml) 





Thank You 





